New Evasion Techniques in Web Skimmers

Data has become extremely valuable, and one of the most valuable types is payment card data. As a result, cybercriminals are inventing new ways of performing credit card fraud using malware.


While cybercriminals can steal personal data in a number of different ways, the web skimmer has become a very visible malware variant in recent years. This malware, like that used by the famous Magecart Group, steals the payment card data entered by a user into a legitimate website’s payment portal. Recently, a new web skimmer variant has been discovered that uses new techniques to hide its presence from investigators.


What is a Web Skimmer?

The value of payment card data on the black market means that skimmers can, unfortunately, be found anywhere that credit and debit cards are used. A physical credit card skimmer may be attached to a gas station pump or ATM (anywhere the payment mechanism isn’t closely monitored by staff) and reads data off the cards inserted into it. Point of sale (PoS) terminals are a common target of skimming malware, which makes a copy of payment card data as a card is swiped through the machine.


With the rise of e-commerce and online shopping, web skimmers have become popular as well. A website can contain a variety of different types of content, including HTML (the bones of the site), CSS (which defines its style), and scripts (which provide interactivity, animation, etc.). The HTML standard allows all three types of content to be combined in a single document or for an HTML page to import functionality from another file.


Web skimmers take advantage of this functionality for malicious purposes. An attacker-controlled script is inserted into the webpage in some way and attaches itself to the “Make Purchase” button (or whatever it is called on a particular site). When that button is pressed, the malicious script runs and collects the payment card data entered into the site. This data is then packaged up and sent to an attacker-controlled machine for later use or resale.


New Ways Web Skimmers Hide

For web skimmer authors, one of the biggest challenges that they face is hiding their malicious code and communications from detection. In order to be effective, their malicious code needs to be embedded somehow in a legitimate site, meaning that someone carefully inspecting the code associated with the webpage could detect and remove it.


Recently, a security researcher discovered a web skimmer that was using steganography to hide its malicious code. Steganography is the practice of hiding a secret message, the skimmer in this case, within a benign-looking image or other file. Since most people and tools looking for malicious code on web pages focus on HTML and JavaScript files (which are most likely to contain script code), the use of an image file as a carrier helps the malware to evade detection.


This image, which appears to be a “Free Shipping” logo or other innocuous image, contains code that uses the WebSocket protocol to connect to a command and control server. After communicating with the server for a little while, the malware downloads a chunk of Base64-encoded code. This code implements the actual credit card skimmer used by the malware.


This web skimmer design provides several different advantages to the author. First, the use of steganography and the WebSocket protocol decreases the probability that the presence of the malicious code will be detected. Secondly, the actual credit card skimming code is not embedded in the infected website, meaning that analyzing it requires an additional step to fetch the code. Thirdly, making use of an embedded downloader allows the malware author to continue to develop the code without needing to upload revised versions to the infected site (which could be detected); the only update required is to change the version of the code hosted on the attacker-controlled command and control server.
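As an added example (not from the article or from the researcher's analysis), the following Python checker walks a PNG's chunk structure and flags any bytes found after the final IEND chunk, one common way an image is used as a carrier for appended script, together with script-like markers such as WebSocket or atob(. It assumes the appended-trailer carrier method and will not catch payloads encoded in pixel data; the sample image and its trailer are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tokens that have no business inside image bytes. Chosen from the behaviour
# the article describes (WebSocket C2, Base64 payload); heuristic, not exhaustive.
SCRIPT_MARKERS = (b"WebSocket", b"atob(", b"eval(", b"<script", b"document.")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_image_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND.
    A well-formed PNG ends exactly there; anything after it is foreign data."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if stored_crc != (zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")  # tampered chunk
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def scan_png(data: bytes) -> dict:
    """Report bytes appended after IEND and any script-like markers within them."""
    trailer = data[png_image_end(data):]
    found = [m.decode() for m in SCRIPT_MARKERS if m in trailer]
    return {"trailing_bytes": len(trailer), "markers": found, "suspicious": bool(trailer)}


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG for testing; optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


# Constructed samples: a clean image and one with a script fragment hidden after IEND.
CLEAN = build_sample_png()
TAINTED = build_sample_png(b"// constructed marker\nnew WebSocket('wss://c2.example.invalid');")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tainted", TAINTED)):
        print(name, scan_png(blob))
```

Run the same scan over every image served from a checkout page; a non-zero trailer or a CRC mismatch is a reason to pull the file for manual review.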


Identifying and Protecting Against Web Skimmers

While web skimming code has been around for some time now, the very visible success of the Magecart Group, including a hack of British Airways that resulted in a record-breaking GDPR fine, has brought it to greater visibility. With this visibility also comes numerous other groups trying to capitalize on the success of the Magecart Group and get their piece of the web skimming market.


Competition in web skimming, and an increased focus due to the number of successful attacks, has led to innovations in this type of malware. The use of steganography to hide the malicious code in image files is only the latest example of this. While these improvements do not make the malware undetectable, they raise the bar for organizations attempting to identify and eliminate it on their sites.


One of the challenges of dealing with web skimmers is the fact that all of the malicious functionality occurs on the client side, meaning that the server does not see the malicious connections at all. As a result, preventing web skimmer attacks requires the ability to identify the malicious code once it has infected a page (which is growing more difficult with the use of steganography) or to prevent the code from infecting a website at all.


Embedding a web skimmer in a web page requires the attacker to have the ability to modify the page on the server. This is typically accomplished by taking advantage of known vulnerabilities, like cross-site scripting, on the server. Deploying a strong web application firewall (WAF) that is capable of identifying and blocking these attacks can help protect an organization against web skimmers.